Skip to main content
banner image
venafi logo

How to Prevent Meltdown and Spectre from Compromising Machine Identities

How to Prevent Meltdown and Spectre from Compromising Machine Identities

Spectre and Meltdown vulnerabilties
January 17, 2018 | Shelley Boose

As we start 2018, security teams are facing two of the most serious security vulnerabilities in recent memory. Meltdown and Spectre are related hardware design exploits that affect almost every modern CPU. These exploits use an architectural technique known as “speculative execution” to read memory locations that are supposed to be reserved for the computer kernel. Both of these vulnerabilities have the potential to expose cryptographic keys, which would place your machine identities at risk.

Why these vulnerabilities are significant

Meltdown CVE-2017-5754) breaks the fundamental isolation barriers between applications run by users and the computer’s operating system; this barrier is normally highly protected. A successful exploit of Meltdown could allow even simple programs, such as the Java script that runs when a browser visits a web page, to access the memory and secrets of other applications and the operating system. Data leaked could include files, passwords and cryptographic keys.

The vulnerability Meltdown exists in almost every Intel processor manufactured after 1995. Furthermore, cloud providers without real hardware virtualization, such as those that rely on containers that share one Docker, LXC, or OpenVZ kernel, are susceptible to Meltdown.

Spectre (CVE-2017-5753 and CVE-2017-5715) breaks the isolation between different applications running on a CPU. A successful exploit could allow an attacker to steal a wide range of sensitive data from otherwise secure, error-free programs including; logins and passwords, credit card and financial data, and cryptographic keys. Ironically, the safety checks used by applications that follow secure coding practices actually increase the attack surface and may make applications more susceptible to Spectre. At present, Spectre has only been shown to break the isolation between user level applications, but it seems likely the attack can be developed further.

Practically every computing device is affected by Spectre, including laptops, desktops, tablets, smartphones and even cloud computing systems. Depending on the architecture of your cloud providers’ infrastructure, attackers may be able to use Spectre to steal data from multiple tenants. Cloud providers that use Intel CPUs and Xen PV as virtualization are particularly susceptible.

Spectre is more difficult to exploit than Meltdown but it is also more challenging to mitigate due to its generality. The original white paper even speculates that significant changes in microprocessor architecture might be needed to fully address the problem.

What’s the risk?

At the moment, there are no known exploits of these vulnerabilities in the wild. However, because of the severity of these vulnerabilities, experts expect that hackers will quickly develop programs to launch attacks now that detailed information is publicly available. We should also assume that these programs will make their way into standard attacker tool kits.

What you should do:
  1. Patch all systems now
    Patches for Meltdown are already available for Windows, Linux, and OS X and application vendors are rolling out patches. There is also work being done to harden software against future exploits of Spectre. We recommend that you monitor the availability of patches for your infrastructure and apply them as soon as they become available.
     
  2. Replace all keys and certificates on systems after you have patched
    It is important to note, since these vulnerabilities enable the exfiltration of machine identities, we strongly recommend that you rotate your keys once the requisite patches have been applied.

    If exploited by attackers these vulnerabilities will enable the exfiltration of key material. The best practice is to replace keys so that if any exfiltration has occurred, it will not enable an attack. A good analogy is an attack on user names and passwords -- if you think passwords could be in the wild you replace the passwords so they can’t be used in an attack.

Meltdown and Spectre are continuing evidence of the need to be able to quickly and automatically replace keys and certificates on a large scale. This capability is essential to maintaining effective protection for machine identities, making it foundational to every security strategy and architecture. Are you prepared to rotate large numbers of keys and certificates without disrupting your business?

Related blogs

Like this blog? We think you will love this.
hands of a puppet master, pulling strings
Featured Blog

Reductor Malware Cleverly Manipulates TLS

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Shelley Boose
Shelley Boose

Shelley is Director of PR and Content Marketing at Venafi. In her own words, "I help companies translate complex technologies into engaging and compelling, digital stories."

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat